Strengthening our Cybersecurity Efforts to Protect Patients

Feb 23, 2024 - 10:18 AM by
Rick Pollack, President and CEO, AHA
Rick Pollack Perspective 900x400 12-2023

This week’s cyberattack on Change Healthcare, one of the nation’s largest health care technology companies, is yet another unwelcome reminder of the ability of cybercriminals to take advantage of our mission of caring by disrupting daily operations.

Change Healthcare in 2022 merged with Optum, which is a major provider of services in technology, data, pharmacy care and direct health care, and the cyberattack may carry serious repercussions across the wider health care field. 

The AHA yesterday sent a Cybersecurity Advisory recommending that all health care organizations that were disrupted or are potentially exposed by this incident consider disconnection from affected systems until it is independently deemed safe to reconnect. We also hosted a call today to provide hospital members the latest on the situation.

Once again, we see that as technology evolves, so has the frequency and sophistication of the high impact ransomware attacks which shut down medical technology in hospitals and health systems and can result in very serious disruption and delay to health care delivery, ultimately risking patient safety. This incident clearly demonstrates the high cyber risk exposure we face as a field through mission critical third parties and their technology.

Currently, a serious ransomware attack is launched against a U.S. health care provider approximately every other week. 

These are threat-to-life crimes, and the AHA has been at the forefront of the effort to fight back, working closely with federal agencies and the hospital field to build trusted relationships and channels for the mutual exchange of cyber threat information, risk mitigation practices and resources to implement these practices.

As a member of an advisory cybersecurity working group, we provided input to the Department of Health and Human Services that resulted in last month’s release of voluntary Cybersecurity Performance Goals for the health care sector, which include 10 “essential” and 10 “enhanced" goals.

These performance goals are targeted at defending against the most common tactics used by cyber-adversaries, and we recommend that the entire health care sector implement these practices.

At the same time, as HHS looks to propose permanent enforceable standards, it is important that any forthcoming regulations must not unfairly penalize hospitals and health systems or hold them accountable for cybercrimes they have no control over, including cyber risk we are exposed to through insecure third-party technology and business associates.

America’s hospitals and health systems are dedicated to protecting their patients and workforce against cyberattacks that can disrupt patient care, risk patient safety and erode privacy by the loss of personal health care data. However, the formidable resources of the nation-state sponsors behind so many of these cyberattacks means that foiling their every attempt is not a realistic goal, and care providers should not be blamed for that. 

Whether hostile nation states directly sponsor such attacks or provide safe harbor for hackers and ransomware gangs, their complicity is clear and the complexity of defending against the attacks even clearer.

Meanwhile, the AHA continues to work publicly as well as behind the scenes with government and private-sector partners to enhance the ability of the health care field to protect patient access to care and reduce the ability of cyber bad actors to pose threats or hold care systems for ransom.

We must be just as relentless in observing best practices and keeping up our guard as our cyber-adversaries are in attempting to extort money or steal confidential information.

This webpage is the best first stop to learn of the many resources AHA provides in the fight against cybercrimes directed against our field. John Riggi, a highly decorated 30-year veteran of the FBI who serves as national advisor for cybersecurity and risk for AHA members, is also a terrific up-to-date resource for hospital and health system leaders. You can view his recent interview on protecting against cyber threats here, or listen to his podcast with the recently retired section chief of the FBI’s Cyber Criminal Operations Section here

When it comes to cybersecurity, we're all in this together. The AHA will continue to work collaboratively with all partners to enhance cybersecurity efforts for the entire health care field, and ensure that patients continue to receive the safe, reliable, quality care they expect and deserve.

Related News Articles

Headline
OCR launches webpage with HIPAA FAQs on Change Healthcare cyberattack
The Department of Health and Human Services’ Office for Civil Rights April 19 launched a webpage answering HIPAA-related FAQs about the Change Healthcare…
Headline
Agencies issue ransomware alert, guidance for securely deploying AI
U.S. and European agencies April 18 recommended organizations implement certain best practices to protect against the latest versions of Akira ransomware,…
Headline
AHA urges Congress to reject cybersecurity proposal in HHS budget request
In a statement submitted to the House Energy and Commerce Health Subcommittee for a hearing April 17 on President Biden’s fiscal year 2025 Health and Human…
Headline
HHS Deputy Secretary Palm discusses Change Healthcare attack and future of cybersecurity
Department of Health and Human Services Deputy Secretary Andrea Palm addressed AHA Annual Membership Meeting attendees about the Administration’s work to…
Headline
Representative Guthrie discusses cybersecurity, prior authorizations and telehealth
Rep. Brett Guthrie, R-Ky., today addressed attendees of AHA’s 2024 Annual Membership Meeting and touched on many of the biggest issues in health care:…
Headline
AHA testifies at hearing on health care cybersecurity
Testifying April 16 before a House Energy and Commerce Subcommittee on Health hearing on addressing health care cybersecurity vulnerabilities in the wake of…